FreeBSD : PostgreSQL -- anonymous remote access data corruption vulnerability (3f332f16-9b6b-11e2-8fe9-08002798f6ff)

This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

PostgreSQL project reports :

The PostgreSQL Global Development Group has released a security update
to all current versions of the PostgreSQL database system, including
versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update fixes a
high-exposure security vulnerability in versions 9.0 and later. All
users of the affected versions are strongly urged to apply the update
*immediately*.

A major security issue (for versions 9.x only) fixed in this release,
[CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899),
makes it possible for a connection request containing a database name
that begins with '-' to be crafted that can damage or destroy files
within a server's data directory. Anyone with access to the port the
PostgreSQL server listens on can initiate this request. This issue was
discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source
Software Center.

Two lesser security fixes are also included in this release:
[CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900),
wherein random numbers generated by contrib/pgcrypto functions may be
easy for another database user to guess (all versions), and
[CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901),
which mistakenly allows an unprivileged user to run commands that could
interfere with in-progress backups (for versions 9.x only).

See also :

http://www.nessus.org/u?dae8f3ca

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 8.5
(CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 65841

Bugtraq ID:

CVE ID: CVE-2013-1899, CVE-2013-1900, CVE-2013-1901
